Exam 350-701
Question 207

An organization has a Cisco ESA set up with DLP policies and would like to customize the action assigned for violations. The organization wants a copy of the message to be delivered with a message added to flag it as a DLP violation. Which actions must be performed in order to provide this capability?

    Correct Answer: A

    To address the organization's requirement to deliver a copy of the message with a flag indicating a DLP violation, the appropriate actions are to deliver the message and add disclaimer text. Delivering ensures the recipient receives the original message, while adding disclaimer text allows for a flag or warning about the DLP violation to be included in the message content. This meets the requirement of both delivering the message and flagging it as a DLP violation.

Discussion
VI_Vershinin (Option: B)

It is B. Read chapter 5. Creating Data Loss Prevention Message Actions https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/216086-best-practice-guide-for-data-loss-preven.html

aaInman

Absolutely B. This is from Chapter 5 Vershinin speaks of:

About DLP Message Actions

DLP message actions describe what actions that the ESA will take when it detects a DLP violation in an outgoing email. You can specify primary and secondary DLP Actions and different actions can be assigned for different violation types and severities.

Primary actions include:
- Deliver
- Drop
- Quarantine

For a read-only state where DLP violations are logged and reported but the messages are not stopped/quarantined or encrypted, the Deliver action is most often used.

aaInman

Here is the rest (can't edit original post).

Secondary actions include:
- Sending a copy to any custom quarantine or the ‘Policy’ quarantine.
- Encrypt the message. The appliance only encrypts the message body. It does not encrypt the message headers.
- Altering the Subject header.
- Adding disclaimer text/HTML to the message.
- Sending the message to an alternate destination mailhost.
- Sending bcc copies of the message.
- Sending DLP violation notification to the sender and/or other contacts.

NikoNiko

You meant A, wrote B. A) deliver and add disclaimer text - exactly as explained above

itisfakemaillol (Option: A)

It is definitely A. deliver and add disclaimer text

sha2 (Option: A)

It's deliver because the question says "wants a copy of the message to be delivered" and in the Configuration guide: "Note If you select Deliver, you can choose to have a copy of the message sent to a policy quarantine. The copy of the message is a perfect clone, including the Message ID." Then add disclaimer text because the question says "to be delivered with a message added to flag it as a DLP violation" and in the configuration guide it says: "To include disclaimer text when delivering messages with DLP violations or suspected violations, specify disclaimer text in Mail Policies". So the answer is A.

jienBoq (Option: A)

As per https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/216086-best-practice-guide-for-data-loss-preven.html

Primary actions include:
- Deliver
- Drop
- Quarantine

For a read-only state where DLP violations are logged and reported but the messages are not stopped/quarantined or encrypted, the Deliver action is most often used.

Secondary actions include:
- Sending a copy to any custom quarantine or the ‘Policy’ quarantine.
- Encrypt the message. The appliance only encrypts the message body. It does not encrypt the message headers.
- Altering the Subject header.
- Adding disclaimer text/HTML to the message.
- Sending the message to an alternate destination mailhost.
- Sending bcc copies of the message.
- Sending DLP violation notification to the sender and/or other contacts.

angry (Option: A)

Absolutely A!

cbaina (Option: D)

It is D, look at this scenario: Sending copies (bcc) of messages to other recipients. For example, you could copy messages with critical DLP violations to a compliance officer's mailbox for examination.

-----------------------

Not A, not B, because "send a copy of message" is not mentioned. Not B: although you guys mentioned the secondary action below in your comments, in the second option (B) there is no sign of a copy of the message.

(((Secondary actions include: Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in addition to providing another way to monitor DLP violations. When you release the copy from the quarantine, the appliance delivers the copy to the recipient, who will have already received the original message.)))

DaleC78 (Option: B)

B without a doubt. Emails violating internal DLP policies shouldn't be delivered, otherwise what's the point? The provided link explains it perfectly:

5. Creating Data Loss Prevention Message Actions

Create DLP Quarantines

If you’d like to keep a copy of messages violating DLP policies you can create individual Policy quarantines for each type of policy violation. This is especially useful when running a ‘transparent’ POV, where Outbound messages violating DLP policies are logged and delivered but no action is taken on the messages.

DaleC78

Misread that one... Seems that's A

red_sparrow_Gr (Option: A)

The question states: "...The organization wants a copy of the message to be delivered..." So B and C are excluded.

cyberwhizzy0 (Option: B)

I think B is correct (not too certain though).

Primary actions include:
- Deliver
- Drop
- Quarantine

Secondary actions include: Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in addition to providing another way to monitor DLP violations. When you release the copy from the quarantine, the appliance delivers the copy to the recipient, who will have already received the original message.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html

jku2cya (Option: B)

As per the link Vl_Vershinin posted and under "Secondary actions include.."

gc999 (Option: D)

Here I will choose "D". The question said the organization wants a "copy of the message to be delivered". Only option "D" would do "sending copies". Refer to "https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html#con_1304495"; only this point can meet it: "Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with critical DLP violations to a compliance officer’s mailbox for examination.)".

gc999

Wrong URL quoted, it should be "https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/216086-best-practice-guide-for-data-loss-preven.html"

gc999

Sorry, I believe "A" is the answer https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/216086-best-practice-guide-for-data-loss-preven.html#:~:text=Adding%20disclaimer%20text/HTML%20to%20the%20message

achille5 (Option: A)

deliver and add disclaimer text

Emlia1

A or B

Emlia1 (Option: A)

I prefer A

sathees_121 (Option: D)

It is D https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html

Pupu (Option: D)

Answer is D. In the referenced guide, it mentions that you can take two actions for DLP messages, primary and secondary. Here the primary would be "Deliver" and secondary "Sending DLP violation notification to the sender and/or other contacts." It also says: "For a read-only state where DLP violations are logged and reported but the messages are not stopped/quarantined or encrypted, the Deliver action is most often used." Since the question clearly states that the message needs to be delivered, the answer cannot be B or C. We're left with A and D. I am picking D because the secondary action it specifies is the only one that sends violation notifications.

brownbear505 (Option: B)

You specify primary and secondary actions that the appliance will take when it detects a possible DLP violation in an outgoing message. Different actions can be assigned for different violation types and severities.